Abstract. We propose a novel proof technique that can be applied to attack a broad class of problems in computational complexity, when switching the order of universal and existential quantifiers is helpful. Our approach combines the standard min-max theorem and convex approximation techniques, offering quantitative improvements over the standard way of using min-max theorems as well as more concise and elegant proofs.
1 Introduction

1.1 The Min-Max Theorem. 

The celebrated von Neumann min-max theorem [Neu28] states that every finite, two-player, zero-sum game has an equilibrium in mixed strategies. That is, the maximum value of the minimum expected gain for one player is equal to the minimum value of the maximum expected loss for the other. Any zero-sum game can be represented as a payoff matrix

\[ A = [A(x,y)]_{x \in X,\, y \in Y} \]

where $A(x,y)$ is the payoff in case the X-player chooses strategy $x \in X$ and the Y-player chooses strategy $y \in Y$, understood as a gain for the X-player and a loss for the Y-player. The basic moves $x \in X$, $y \in Y$ are called pure strategies (think of one of the 3 options in the rock-paper-scissors game). We allow the players to use randomized strategies, which are called mixed strategies (think of picking a random answer in the rock-paper-scissors game), represented formally as distributions $P_X(\cdot)$, $P_Y(\cdot)$ over $X$ and $Y$ respectively, and analyze the expected payoff

\[ \mathbb{E}_{x \leftarrow P_X,\, y \leftarrow P_Y}\, A(x,y). \]
If the player X goes first, she can guarantee her gain to be at least

\[ \mathrm{MaxGain}(X) = \max_{P_X} \min_{y} \mathbb{E}_{x \leftarrow P_X} A(x,y), \]

and when the player Y goes first he guarantees his loss to be at most

\[ \mathrm{MinLoss}(Y) = \min_{P_Y} \max_{x} \mathbb{E}_{y \leftarrow P_Y} A(x,y), \]

where in both equations we used the fact that the second player always achieves the best response with some pure strategy. The min-max theorem guarantees that we have an equilibrium between the players.

Theorem (Min-Max Theorem [Neu28]). With the notation as above (and players using mixed strategies), we have

\[ \mathrm{MaxGain}(X) = \mathrm{MinLoss}(Y). \]

Many more general versions of the min-max theorem exist. All of them assure the equality

\[ \sup_{x \in X} \inf_{y \in Y} f(x,y) = \inf_{y \in Y} \sup_{x \in X} f(x,y) \]

under certain conditions imposed on the sets $X$, $Y$ (for example both convex and compact subsets of a locally convex topological space) and the function $f$ (for example continuity, convexity in $y$ and concavity in $x$). The proofs typically use fixed point theorems. Min-max theorems have many applications in game theory, statistical decision theory, economics and theoretical computer science. In this paper we focus on applications in cryptography, and the simplest version will be enough for our discussion.
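The finite min-max theorem above, as an added example that is not part of the paper: both players run the multiplicative-weights (Hedge) update against each other, and the averaged mixed strategies certify a lower bound on $\mathrm{MaxGain}(X)$ and an upper bound on $\mathrm{MinLoss}(Y)$ that nearly coincide, as the theorem says the exact values must. The payoff matrices (rock-paper-scissors and a 3x4 matrix) are constructed for the example; payoffs are assumed to lie in $[-1,1]$.

```python
# Added example, not code from the paper: approximate the equilibrium of a
# finite zero-sum game by letting both players run Hedge (multiplicative
# weights) against each other, then certify MaxGain(X) and MinLoss(Y) with the
# averaged mixed strategies. Payoffs are assumed to lie in [-1, 1].
import math

def best_pure_reply_value(payoff, p_x):
    """min_y E_{x<-P_X} A(x, y): the gain P_X guarantees against Y's best pure reply."""
    cols = range(len(payoff[0]))
    return min(sum(px * row[y] for px, row in zip(p_x, payoff)) for y in cols)

def best_pure_reply_loss(payoff, p_y):
    """max_x E_{y<-P_Y} A(x, y): the loss P_Y guarantees against X's best pure reply."""
    return max(sum(py * a for py, a in zip(p_y, row)) for row in payoff)

def hedge_equilibrium(payoff, rounds=5000):
    """Run Hedge for both players and return
    (P_X, P_Y, MaxGain lower bound, MinLoss upper bound).
    With eta = sqrt(8 ln n / T) each player's average regret is at most
    sqrt(ln n / (2T)) in [0,1]-loss units, so the two bounds differ by O(1/sqrt(T))."""
    n, m = len(payoff), len(payoff[0])
    eta_x = math.sqrt(8.0 * math.log(n) / rounds)
    eta_y = math.sqrt(8.0 * math.log(m) / rounds)
    p_x, p_y = [1.0 / n] * n, [1.0 / m] * m
    avg_x, avg_y = [0.0] * n, [0.0] * m
    for _ in range(rounds):
        for i in range(n):
            avg_x[i] += p_x[i] / rounds
        for j in range(m):
            avg_y[j] += p_y[j] / rounds
        # expected payoff of each pure strategy against the opponent's current mix
        gain_x = [sum(p_y[j] * payoff[i][j] for j in range(m)) for i in range(n)]
        loss_y = [sum(p_x[i] * payoff[i][j] for i in range(n)) for j in range(m)]
        # map to losses in [0,1]: X loses (1 - gain)/2, Y loses (1 + loss)/2
        w_x = [p * math.exp(-eta_x * (1.0 - g) / 2.0) for p, g in zip(p_x, gain_x)]
        w_y = [p * math.exp(-eta_y * (1.0 + l) / 2.0) for p, l in zip(p_y, loss_y)]
        p_x = [w / sum(w_x) for w in w_x]
        p_y = [w / sum(w_y) for w in w_y]
    return (avg_x, avg_y,
            best_pure_reply_value(payoff, avg_x),
            best_pure_reply_loss(payoff, avg_y))

# constructed games: rock-paper-scissors (value 0) and an arbitrary 3x4 matrix
RPS = [[0, -1, 1], [1, 0, -1], [-1, 1, 0]]
GAME_3x4 = [[0.3, -0.8, 0.5, 0.1], [-0.2, 0.6, -0.9, 0.4], [0.7, -0.1, 0.2, -0.6]]

def minmax_gap(payoff, rounds=5000):
    """MinLoss(Y) upper bound minus MaxGain(X) lower bound. The theorem says the
    exact values coincide; Hedge shrinks the certified gap as T grows."""
    _, _, max_gain, min_loss = hedge_equilibrium(payoff, rounds)
    return min_loss - max_gain

if __name__ == "__main__":
    for name, g in (("RPS", RPS), ("3x4", GAME_3x4)):
        p_x, p_y, lo, hi = hedge_equilibrium(g)
        print(name, "P_X =", [round(p, 3) for p in p_x],
              "MaxGain >=", round(lo, 4), "MinLoss <=", round(hi, 4))
```

The certified gap is exactly the sum of the two players' average regrets, so a tolerance can be read off the Hedge regret bound before running anything; for rock-paper-scissors the averaged strategies approach the uniform distribution and both bounds approach the value 0.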

1.2 Switching the order of quantifiers by the min-max theorem

The min-max theorem may be used to change the order of quantifiers (minimization corresponds to the existential quantifier and maximization corresponds to the universal quantifier). A very good example is the classical hardcore lemma due to Impagliazzo [Imp95]. The lemma, stated informally, says that if for every algorithm $A$ there exists a large set of inputs on which $A$ fails to compute a fixed function $f$, then in fact there exists a large set of inputs on which every algorithm fails to compute $f$ with probability close to $1/2$. This particular lemma falls into a broad class of results in complexity theory which can be proven using the min-max theorem. We explain this technique before giving more examples.

The general framework. Let $\mathcal{A}$ be a class of test functions (for example poly-size circuits) over a set of possible inputs $I$, let $\mathcal{C}$ be a class of distributions over $I$ satisfying certain desired properties (for example samplability, high density, high entropy, etc.), and let $v$ be a payoff function that quantifies how well $A$ performs on the input $X$ (for example, unpredictability or distinguishing advantage). Suppose that we want to prove the existence of a distribution with certain properties for which every algorithm has bad (or alternatively good) performance.

Dream Statement. There is a distribution over inputs (with some certain properties) such that every algorithm performs badly/well.

\[ \exists X \in \mathcal{C}\ \forall A \in \mathcal{A}:\ v(A,X) \le c \tag{1} \]

In many cases it is much easier to prove a weaker version, which gives the existence of a distribution with the desired properties but only for a chosen algorithm.

Weak Statement. For every algorithm there is a distribution over inputs (with some certain properties) such that it performs badly/well.

\[ \forall A \in \mathcal{A}\ \exists X \in \mathcal{C}:\ v(A,X) \le c \tag{2} \]

Note that this condition is considerably weaker. Indeed, we will see that in many applications proving the existence of a suitable distribution $X$ for a fixed algorithm $A$ is actually trivial. But the big question is whether Equation (2) implies Equation (1).

Does the Weak Statement imply the Dream Statement? Suppose that Equation (2) holds. Can we conclude that Equation (1) also holds, with a possibly somewhat weaker class $\mathcal{A}$ and a weaker parameter $c$?

Note that we allow for some loss in quality (a weaker class of algorithms or a weaker payoff). Indeed, if both sets $\mathcal{C}$ and $\mathcal{A}$ are convex the answer is trivially "yes", by the min-max theorem. However, in most applications the set $\mathcal{A}$ consists of efficient algorithms (circuits of a bounded size) and is not convex, because taking a mixed strategy corresponds to combining many algorithms by (possibly) inefficient sampling. For the same reason, the set $\mathcal{C}$ might not be convex. However, we might "embed" the non-convex sets $\mathcal{A}$ and $\mathcal{C}$ into "almost" convex hulls of $\mathcal{A}'$, $\mathcal{C}'$ which are (hopefully) still sufficiently good for our purpose, by taking moderately long mixed strategies instead of arbitrarily long ones. Indeed, let

\[ \forall A \in \mathcal{A}\ \forall X \in \mathcal{C}\ \exists A' \in \mathrm{conv}\,\mathcal{A}'\ \exists X' \in \mathrm{conv}\,\mathcal{C}':\ |v(A,X) - v(A',X')| \le \delta \tag{3} \]

where the conv operator denotes the convex hull. We get the following

Approximate Min-Max Theorem. If condition (3) holds, then the Weak Statement implies that the Dream Statement is true with $\mathcal{A}$ and $\mathcal{C}$ replaced by $\mathcal{A}'$ and $\mathcal{C}'$ (and with a correspondingly weaker parameter $c$).


1.3 Our contribution 

Summary. This framework is well known (cf. [BSW03,RTTV08,TTV08,Hol05,VZ], to mention only some papers closely related to our cryptographic applications). What we offer is a novel approximation technique. Previous works found $A'$ and $X'$ in the convex hulls by a trivial Chernoff approximation argument. We observe that much better results are obtained with a carefully chosen convex approximation technique. Indeed, it turns out that in many cases the quantity $|v(A,X) - v(A',X')|$ can be upper bounded by the Hölder inequality, which involves moments of $A$ and $X$. These moments may be better estimated based on properties of the sets $\mathcal{A}$ and $\mathcal{C}$, which leads to quantitative improvements. We stress that the key component is the right choice of Hölder conjugates, that is the exponents for the corresponding $L^p$, $L^q$ spaces.

Advantages and Applications of our framework. Using our technique we prove a number of results, reproving what is already known in a clearer and more concise way, improving quantitative bounds, or obtaining new results. Details are given in Section 2.


1.4 Related Works. 

The work of [VZ] provides a tool to derive good bounds for certain sets $\mathcal{C}$, in the uniform setting. We stress that we consider only non-uniform adversaries here. In fact, our results can probably be made uniform by the use of constructive versions of the auxiliary results on convex approximations we have applied (for example [DDGS97]). In any case, uniform settings are not important for most of our applications, such as leakage-resilient cryptography. While [VZ] gives hard bounds, we provide a framework equipped with a different technique of handling $\mathcal{C}$. Our technique can exploit moment conditions, which is impossible in [VZ]. We stress that the crucial component of our technique is the


2 Applications 

We briefly recall some basic notation and conventions. We say that two distributions $X_1$, $X_2$ are $(s,\epsilon)$-indistinguishable if for every $A$ of size $s$ we have

\[ |\mathbb{E}\,A(X_1) - \mathbb{E}\,A(X_2)| \le \epsilon. \]

2.1 Impagliazzo Hardcore Lemma 

Impagliazzo Hardcore Lemma. Suppose that we are given a function $f:\{0,1\}^n \to \{0,1\}$ that is mildly hard to predict by a class of circuits: for every circuit $A$ from our class, $A(x)$ and $f(x)$ agree on at most, say, a $0.99$ fraction of inputs $x$. This might happen when there is a set of noticeable size on which $f$ is extremely hard to predict, meaning that there is (almost) no advantage over a random guess. This set could be as big as a $0.02 = 2(1-0.99)$ fraction of inputs. Indeed, if $f$ cannot be guessed better than with probability $1/2$ on this set, then the probability that $A$ agrees with $f$ is at most $0.02 \cdot \tfrac12 + 0.98 \cdot 1 = 0.99$.

Quite surprisingly, this intuitive characterization is true. The first such result was proved by Impagliazzo [Imp95], with a sub-optimal hardcore density. An improved version with the optimal density of the hardcore set was found by Holenstein [Hol05]. Below we present the best possible result due to Klivans and Servedio [KS03]; the matching lower bound was given in [LTW07].


Theorem 1 (Optimal Unpredictability Hardcore Lemma [KS03]). Let $f:\{0,1\}^n \to \{0,1\}$ be $\epsilon$-unpredictable by circuits of size $s$ under a distribution $V$, that is

\[ \Pr_{x \leftarrow V}[A(x) = f(x)] \le 1 - \frac{\epsilon}{2} \quad \text{for every } A \text{ of size at most } s. \tag{4} \]

Then for any $\delta \in (0,1)$ there exists an event $E$ of probability $\epsilon$ such that under $V|E$ no circuit of size $s' = \Omega\!\left(s\delta^2/\log(1/\epsilon)\right)$ predicts $f$ noticeably better than a random guess, that is

\[ \Pr_{x \leftarrow V|E}[A(x) = f(x)] \le \frac12 + \delta \quad \text{for every } A \text{ of size at most } s'. \tag{5} \]


Our Contribution. We reprove Theorem 1 using the framework discussed in Section 1.3. Our approach has the following advantages over the related works:

(a) It is derived from the standard min-max theorem. Previous proofs which achieve optimal parameters require involved iterative arguments [KS03,VZ].

(b) It is modular and much simpler than all alternative proofs. Indeed, the argument of Holenstein is non-optimal and involved. Also the argument given by Vadhan and Zheng depends on a non-trivial trick attributed to Nisan and Levy (which improves the hardcore density from $\epsilon/2$ to $\epsilon$) and the machinery is much heavier. Our approach does not require this trick and follows the most intuitive strategy: show that there is a hardcore for every fixed adversary and then switch the order of quantifiers.

(c) We have identified the reason for non-optimality in previous proofs. Some authors even suggested that it might be impossible to get the tight parameters using the standard min-max theorem [VZ]. We show that this is not true. The problem is not with the standard min-max theorem but with an inadequate approximation argument in previous works, which use uniform approximation [Hol05].

A comparison is given below in Table 1. 


Author     | Technique                                   | Hardcore density | Complexity loss
[Imp95]    | boosting (constructive approx.)             | Pr[E] = ε/2      | O(δ^{-2} · poly(1/ε))
[Hol05]    | standard min-max + hardcore optimization    | Pr[E] = ε        | O(n δ^{-2})
[KS03]     | complicated boosting (constructive approx.) | Pr[E] = ε        | O(log(1/ε) δ^{-2})
[VZ]       | complicated boosting (constructive approx.) | Pr[E] = ε        | O(log(1/ε) δ^{-2})
this paper | simple min-max + L^p-approx.                | Pr[E] = ε        | O(log(1/ε) δ^{-2})

Table 1: Hardcore lemmas obtained by different techniques.

A sketch of proof. Assume without loss of generality that $f:\{0,1\}^n \to \{-1,1\}$ (footnote 1). Define the payoff $v$ as the advantage of $A$ in predicting $f$ under $X$,

\[ v(A,X) \overset{\mathrm{def}}{=} \Pr_{x \leftarrow X}[f(x) = A(x)] - \frac12 = \frac{\mathbb{E}_{x \leftarrow X}\,A(x)\cdot f(x)}{2}, \]

where we used $\Pr_{x \leftarrow X}[f(x) = A(x)] = \left(1 + \mathbb{E}_{x \leftarrow X}\,A(x) f(x)\right)/2$ for $\pm 1$ outputs, and note that this definition makes sense also for circuits with real outputs. Let the property set $\mathcal{C}$ consist of conditional distributions of the form $X = V|E$ where $\Pr[E] \ge \epsilon$ and $E$ may vary (footnote 2); note that $\mathcal{C}$ is convex. Define $\mathcal{A}$ as the set of real-valued (footnote 3) circuits of size $s$, and let $\mathcal{A}'$ be the set of circuits of size $s' = s\delta^2/\log(1/\epsilon)$. It is not hard to see that assumption (4) implies

Proposition 1 (Weak Statement). For every $A \in \mathcal{A}$ we have $v(X,A) \le 0$ for some $X \in \mathcal{C}$.

Now we analyze what happens when we replace $\mathcal{A}$ by $\mathrm{conv}(\mathcal{A}')$. We claim that

Proposition 2 (Approximation Step). For every $A' \in \mathrm{conv}(\mathcal{A}')$ we have $v(X,A') \le \delta$ for some $X \in \mathcal{C}$.

To prove this, we show that the Hölder inequality implies, for $A$, $A'$ and $X \in \mathcal{C}$,

\[ |v(X,A) - v(X,A')| \le \frac12 \left( \mathbb{E}_{x \leftarrow V} \left(\frac{P_X(x)}{P_V(x)}\right)^q \right)^{1/q} \left( \mathbb{E}_{x \leftarrow V} |A(x) - A'(x)|^p \right)^{1/p} \]

for any $p, q \ge 1$ with $\frac1p + \frac1q = 1$. Now we can argue that

(a) $\left( \mathbb{E}_{x \leftarrow V} \left(P_X(x)/P_V(x)\right)^q \right)^{1/q} \le \epsilon^{-1/p}$ (by the extreme points technique; for $X = V|E$ with $\Pr[E] \ge \epsilon$ the ratio $P_X/P_V$ is at most $1/\epsilon$).

(b) $\left( \mathbb{E}_{x \leftarrow V} |A(x) - A'(x)|^p \right)^{1/p} = O\!\left(\sqrt{p/\ell}\right)$ for some $A$ which is of complexity $\ell$ relative to $\mathcal{A}'$ (footnote 4) (by standard facts on convex approximation [DDGS97]).

Setting $\ell = \delta^{-2}\log(1/\epsilon)$ (so that $A \in \mathcal{A}$), taking $X = V|E$ which corresponds to $A$ according to Proposition 1, setting $p = 2\log(1/\epsilon)$ (so that $\epsilon^{-1/p} = \sqrt{e}$ and $\sqrt{p/\ell} = O(\delta)$) and putting this all together, we get Proposition 2. This implies the following statement

Proposition 3 (Strong Statement). For some $X \in \mathcal{C}$ we have $v(X,A) \le \delta$ for every $A \in \mathcal{A}'$,

which proves Theorem 1 ($|v(X,A)| \le \delta$ follows by considering $\mathcal{A}'$ closed under complements).

1 We consider $\{-1,1\}$ outputs for technical convenience. Equivalently we could state the problem for $\{0,1\}$.

2.2 A (new) optimal hardcore lemma for metric pseudoentropy and applications to transformations

Pseudoentropy notions extend classical information-theoretic entropy notions 
into computational settings. The following most widely used entropy notions 
capture what it means to be “computationally close” to a high entropy distri¬ 
bution. 

2 We can think of measures $M$ such that $M(\cdot) \le P_V(\cdot)$ and $\sum_x M(x) \ge \epsilon$. Every $X \in \mathcal{C}$ can be written as $P_X(\cdot) = M(\cdot)/\sum_x M(x)$ for one of these measures $M$.

3 Following related works [FOR12,RTTV08] we use circuits with real outputs for technical reasons.

4 That is, $A$ is a convex combination of $\ell$ members of $\mathcal{A}'$.






Definition 1 (HILL Pseudoentropy [HILL99]). Let $Y$ be a distribution with the following property: there exists $Y'$ of min-entropy at least $k$ such that for every $A$ of size at most $s$ we have $|\mathbb{E}\,A(Y) - \mathbb{E}\,A(Y')| \le \epsilon$. Then we say that $Y$ has $k$ bits of HILL entropy of quality $(s,\epsilon)$ and denote this by $H^{\mathrm{HILL}}_{s,\epsilon}(Y) \ge k$.

Definition 2 (Metric Pseudoentropy [BSW03]). Let $Y$ be a distribution with the following property: for every $A$ of size at most $s$ there exists $Y'$ of min-entropy at least $k$ such that $|\mathbb{E}\,A(Y) - \mathbb{E}\,A(Y')| \le \epsilon$. Then we say that $Y$ has $k$ bits of metric entropy of quality $(s,\epsilon)$ and denote this by $H^{\mathrm{Metric}}_{s,\epsilon}(Y) \ge k$.

Pseudoentropy is an important research area, with applications in deterministic encryption, memory delegation [CKLR11] and pseudorandom generators [HILL99,VZ]. Metric pseudoentropy is much easier to deal with, and fortunately can be converted into HILL entropy with some loss in the quality parameters $(s,\epsilon)$.

Our contribution. The following result shows that any distribution with metric pseudoentropy of "moderate" quality has a kernel of HILL entropy with "strong" quality. We also conclude the optimal Metric-to-HILL transformation.

Theorem 2 (A HILL-pseudoentropy hardcore for metric pseudoentropy). Suppose that $H^{\mathrm{Metric}}_{s,\epsilon}(Y) \ge n - \Delta$ for some $Y \in \{0,1\}^n$. Then there is an event $E$ of probability $1 - \epsilon$ such that $H^{\mathrm{HILL}}_{s',\delta}(Y|E) \ge n - \Delta$ with $s' = \Omega\!\left(s\delta^2/(\Delta+1)\right)$, for every $\delta$. In particular, $H^{\mathrm{HILL}}_{s',\epsilon+\delta}(Y) \ge n - \Delta$.

One possible application of this fact is amplifying hardness of pseudoentropy with poor quality. Imagine that we have many independent samples $X_1, X_2, \ldots, X_n$ from a distribution with a substantial amount of entropy ($\Delta \ll n$) but of weak advantage $\epsilon = 0.99$. We can use the result above to show that the pseudoentropy in $X_1, X_2, \ldots, X_n$ is roughly $(1 - 0.99)(n - \Delta)$ with good quality (see [Skob] for more details). Below we briefly compare this result with related works.

(a) Our result is far stronger than the classical result due to Barak et al. [BSW03] about the transformation. Not only do we replace the factor $n$ by $\Delta$, but we also show the existence of a hardcore in the intermediate step.

(b) This result unifies and improves our recent results [Skoa,Skob]. The corollary $H^{\mathrm{HILL}}_{s',\epsilon+\delta}(Y) \ge n - \Delta$ was the same (and optimal) but the hardcore $E$ was found with worse complexity $s' = \Omega(s\delta^2/n)$.

(c) Our result explains the nature of the Metric-to-HILL transformation. The HILL pseudoentropy hardcore is an intermediate step in going from metric pseudoentropy to HILL pseudoentropy.

Our result is illustrated in Figure 1. The parameters are optimal (see [Skob]).

A sketch of proof. Let $\mathcal{A}$ be the set of real-valued circuits of size $s$ and let $\mathcal{A}'$ be the set of circuits of size $s' = s\delta^2/(\Delta+1)$. Let $\mathcal{C}$ consist of the conditional distributions $X$ of the form $X'|E$, where $\Pr[E] \ge 1 - \epsilon$ and $H_\infty(X') \ge n - \Delta$; this set is convex. The payoff is defined as $v(X,A) \overset{\mathrm{def}}{=} \mathbb{E}\,A(Y) - \mathbb{E}\,A(X)$. It is easy to see (footnote 5) that we have

5 This is trivial for boolean $A$ and somewhat more tricky for real-valued $A$. A short proof is given implicitly in [FOR12].



[Figure 1 shows the chain $H^{\mathrm{Metric}}_{s,\epsilon}(Y) \ge n - \Delta$ $\to$ $H^{\mathrm{HILL}}_{s',\epsilon'}(Y|E) \ge n - \Delta$ $\to$ $H^{\mathrm{HILL}}_{s'',\epsilon''}(Y) \ge n - \Delta$. First step (this paper): $s' = s\delta^2/(\Delta+1)$, $\epsilon' = \delta$, $\Pr[E] = 1 - \epsilon$, $\delta$ arbitrary. Second step (trivial): $s'' = s'$, $\epsilon'' = \epsilon' + \epsilon$. The direct transformation ([Skoa,BSW03]) gives $s'' = s\delta^2/(\Delta+1)$, $\epsilon'' = \epsilon + \delta$, $\delta$ arbitrary.]

Fig. 1: The Metric-to-HILL pseudoentropy transformation.


Proposition 4 (Weak Statement). $\forall A \in \mathcal{A}\ \exists X \in \mathcal{C}:\ v(X,A) \le 0$.

Now we analyze what happens when $\mathcal{A}$ is replaced by $\mathrm{conv}(\mathcal{A}')$.

Proposition 5 (Approximation Step). For every $A' \in \mathrm{conv}(\mathcal{A}')$ we have $v(X,A') \le \delta$ for some $X \in \mathcal{C}$.

To prove this, by the Hölder inequality for any $A$, $A'$ and $X \in \mathcal{C}$ we show

\[ |v(X,A) - v(X,A')| \le \left( \mathbb{E}_{x \leftarrow U} \left(2^n P_{X'|E}(x)\right)^q \right)^{1/q} \cdot \left( \mathbb{E}_{x \leftarrow U} |A(x) - A'(x)|^p \right)^{1/p} \]

for any $p, q \ge 1$ with $\frac1p + \frac1q = 1$ and the uniform distribution $U$. Now we argue that

(a) $\left( \mathbb{E}_{x \leftarrow U} \left(2^n P_{X'|E}(x)\right)^q \right)^{1/q} \le 2^{\Delta/p}$, up to the factor $(1-\epsilon)^{-1/p}$ (by the extreme points technique; for $X = X'|E$ the density $2^n P_{X'|E}$ is at most $2^\Delta/(1-\epsilon)$).

(b) $\left( \mathbb{E}_{x \leftarrow U} |A(x) - A'(x)|^p \right)^{1/p} = O\!\left(\sqrt{p/\ell}\right)$ for some $A$ which is of complexity $\ell$ relative to $\mathcal{A}'$ (by standard facts on convex approximation [DDGS97]).

Setting $\ell = \delta^{-2}(\Delta+1)$ (so that $A \in \mathcal{A}$), taking $X = X'|E$ which corresponds to $A$ according to Proposition 4, setting $p = \Delta + 1$ (so that $2^{\Delta/p} \le 2$ and $\sqrt{p/\ell} = \delta$) and putting this all together we get Proposition 5. This implies the following statement

Proposition 6 (Strong Statement). $\exists X \in \mathcal{C}\ \forall A \in \mathcal{A}':\ v(X,A) \le \delta$.

This directly implies Theorem 2 (as before, we consider $\mathcal{A}'$ closed under complements). More details can be found in Appendix C.


2.3 A (fixed) construction of a simulator for auxiliary inputs. 

In [JP14] there is a theorem which says that any short information $Z$ about $X$ can be efficiently simulated from $X$. Below we state the corrected version [Pie15].






Theorem 3 (Simulating auxiliary inputs, flaws fixed). For any random variable $X \in \{0,1\}^n$, any correlated $Z \in \{0,1\}^\lambda$ and every choice of parameters $(\epsilon, s)$ there is a randomized function $\mathrm{Sim}:\{0,1\}^n \to \{0,1\}^\lambda$ of complexity $O\!\left(s \cdot 2^{4\lambda}\epsilon^{-4}\right)$ such that $Z$ and $\mathrm{Sim}(X)$ are $(\epsilon,s)$-indistinguishable given $X$.

This result is the key component in the simplified analysis of the EUROCRYPT'09 stream cipher construction. Using Theorem 3, as described in [JP14], one proves the resilience of the cipher (assuming bounded leakage in every round) if the underlying weak PRF is $(s,\epsilon)$-secure against two queries on random inputs. The cipher security $(s',\epsilon')$ is related to $(s,\epsilon)$ by a polynomial loss in $\epsilon$.

Our contribution. We describe a flaw in the proof and improve the corrected bound by a significant super-polynomial factor. Below we briefly describe the significance of our result.

(a) Discovered flaws in the recent (TCC'14) analysis of the EUROCRYPT'09 stream cipher. The alternative bounds seem correct but are much weaker. In particular, we get no meaningful security with AES used as a weak PRF in this construction (footnote 6). This raises the problem of whether the cipher built on AES is secure or not. We would need a simulator with a loss of only $O(\epsilon^{-2})$, not $\epsilon^{-4}$, in complexity.

(b) A simpler construction based on the min-max theorem. Based on the framework in Section 1.3 we give an alternative proof achieving the simulator complexity $O\!\left(s \cdot 2^{2\lambda}\epsilon^{-4}\right)$. The gain of $2^{2\lambda}$ over the original approach, which is a power of $\epsilon$ for the recommended values of parameters [JP14], comes from the use of convex approximation techniques. Our proof is considerably simpler and quantitatively better than in [JP14] (in particular we don't need to use the min-max theorem twice depending on the value of the game). Also, it is much simpler than the alternative approach of Vadhan and Zheng [VZ], yet yields comparable results for small leakages (see Table 2).

(c) A clear bound on the security level, in terms of the time-success ratio. We derive a clear formula which shows what fraction of the security of the original weak PRF is transformed into security of the stream cipher. This analysis shows that we are far from good and provably secure leakage-resilient stream ciphers, as we lose a large fraction of the original security. For more details, see Table 2.

In Table 2 we compare the strength of the simulator theorems in terms of implied security for this construction. To our knowledge, this is the first analysis of the time-success ratio for this technique. For more details we refer to Appendix E.

More on the flaws. In the claimed better bound $O\!\left(s \cdot 2^{3\lambda}\epsilon^{-2}\right)$ there is a mistake on page 18 (eprint version), when the authors enforce a signed measure to be a probability measure by a mass shifting argument. The number $M$ defined there is in fact a function of $x$ and is hard to compute, whereas the original

6 The final bounds on the cipher security depend on the simulator complexity and are given by a corresponding bound on $\epsilon'$ together with $s' = s \cdot 2^{-4\lambda}\epsilon'^4$. We can't prove even very weak security $\epsilon = 2^{-32}$ having $\lambda = 10$ bits of leakage!



Author     | Technique                        | Simulator complexity
[JP14]     | standard min-max + L^∞-approx.   | s_h = s · 2^{4λ} ε^{-4}
[VZ]       | complicated boosting             | s_h = s · 2^{λ} ε^{-2} + 2^{λ} ε^{-4}
this paper | standard min-max + L^p-approx.   | s_h = s · 2^{2λ} ε^{-4}

Table 2: Security of the EUROCRYPT'09 stream cipher instantiated with a wPRF having $2^k$ keys and $\lambda$ bits of leakage, obtained from different simulator results. Every attacker of size $s$ succeeds with probability at most $s/2^k$. The implied security (in terms of the time-success ratio) derived from each simulator is analysed in Appendix E.


proof assumes that this is a constant independent of $x$. In the alternative bound $O\!\left(s \cdot 2^{3\lambda}\epsilon^{-4}\right)$ a fixable flaw is a missing factor of $2^\lambda$ in the complexity (page 16 in the eprint version), which is because what is constructed in the proof is only a probability mass function, not yet a sampler [Pie15].

A sketch of the proof. Let $\mathcal{A}$ be the set of real-valued circuits of size $s$ and let $\mathcal{A}'$ be the set of circuits of size $s' = s \cdot 2^{-2\lambda}\epsilon^2$. Let $\mathcal{C}'$ consist of the distributions of the form $(X, h(X))$, where $h$ is computable in size $s \cdot 2^\lambda$; this set is not convex. Let $\mathcal{C}$ be the set of all circuits of size $s \cdot 2^{2\lambda}\epsilon^{-2}$. The payoff is defined as $v(h,A) = \mathbb{E}\,A(X,h(X)) - \mathbb{E}\,A(X,Z)$. It is easy to see that we have

Proposition 7 (Weak Statement). $\forall A \in \mathcal{A}\ \exists h' \in \mathrm{conv}\,\mathcal{C}':\ v(h',A) \le 0$.

Indeed, consider $h^+$ which for every $x$ outputs the value $z$ for which $A(x,z) = \max A(x,\cdot)$, and $h^-$ which for every $x$ outputs the value $z$ for which $A(x,z) = \min A(x,\cdot)$. Both are of complexity $O(2^\lambda)$ relative to $A$. Since we have $\mathbb{E}\,A(X,h^-(X)) \le \mathbb{E}\,A(X,Z) \le \mathbb{E}\,A(X,h^+(X))$, setting $h'$ to be a distribution over $h^+$ and $h^-$, that is $\Pr[h'(x) = z] = \theta \cdot \Pr[h^-(x) = z] + (1-\theta) \cdot \Pr[h^+(x) = z]$, we get $v(h',A) = 0$ for some $\theta \in [0,1]$. In the next step we replace $\mathcal{A}$ by $\mathrm{conv}(\mathcal{A}')$.
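The construction behind Proposition 7, as an added example that is not part of the paper: for a constructed joint distribution $(X,Z)$ and a constructed real-valued distinguisher $A(x,z)$, the code builds $h^+$ and $h^-$ by scanning all $2^\lambda$ values of $z$ per input, checks the sandwich $\mathbb{E}\,A(X,h^-(X)) \le \mathbb{E}\,A(X,Z) \le \mathbb{E}\,A(X,h^+(X))$, and solves for the mixing weight $\theta$ that makes $v(h',A) = 0$. The distribution (`JOINT`), the distinguisher (`A_example`) and the leakage bit being the parity of $X$ are assumptions of the example.

```python
# Added example, not code from the paper: the "simulator for a fixed
# distinguisher" construction behind Proposition 7 on a small constructed
# instance. Joint distributions are dicts {(x, z): probability}.

def expected_on_joint(joint, A):
    """E A(X, Z) for the joint pmf of (X, Z)."""
    return sum(p * A(x, z) for (x, z), p in joint.items())

def marginal_x(joint):
    """P_X(x) from the joint pmf."""
    px = {}
    for (x, _), p in joint.items():
        px[x] = px.get(x, 0.0) + p
    return px

def extreme_simulators(joint, A, zs):
    """h^+(x) = argmax_z A(x, z) and h^-(x) = argmin_z A(x, z); each scans the
    whole leakage domain zs, i.e. |zs| = 2^lambda evaluations of A per input."""
    xs = marginal_x(joint)
    h_plus = {x: max(zs, key=lambda z: A(x, z)) for x in xs}
    h_minus = {x: min(zs, key=lambda z: A(x, z)) for x in xs}
    return h_plus, h_minus

def expected_on_simulator(joint, A, h):
    """E A(X, h(X)) for a deterministic simulator h: x -> z."""
    return sum(p * A(x, h[x]) for x, p in marginal_x(joint).items())

def balancing_theta(joint, A, zs):
    """Return (theta, E A(X,h^-(X)), E A(X,Z), E A(X,h^+(X)), v(h', A)) where
    h' answers h^-(x) with probability theta and h^+(x) otherwise, chosen so
    that E A(X, h'(X)) = E A(X, Z), i.e. the payoff v(h', A) vanishes."""
    h_plus, h_minus = extreme_simulators(joint, A, zs)
    target = expected_on_joint(joint, A)
    hi = expected_on_simulator(joint, A, h_plus)
    lo = expected_on_simulator(joint, A, h_minus)
    if not (lo - 1e-12 <= target <= hi + 1e-12):
        raise ValueError("sandwich E A(X,h^-) <= E A(X,Z) <= E A(X,h^+) violated")
    theta = 0.0 if hi == lo else (hi - target) / (hi - lo)
    v_mixed = theta * lo + (1.0 - theta) * hi - target    # = v(h', A)
    return theta, lo, target, hi, v_mixed

def parity(x):
    return (x ^ (x >> 1)) & 1

# constructed instance (assumption): X uniform on {0,1}^2, Z a single leaked
# bit that equals the parity of X with probability 0.8
JOINT = {}
for x in range(4):
    JOINT[(x, parity(x))] = 0.25 * 0.8
    JOINT[(x, 1 - parity(x))] = 0.25 * 0.2

def A_example(x, z):
    """constructed distinguisher in [0,1]: rewards seeing the true parity,
    gives a small input-dependent score otherwise"""
    return 1.0 if z == parity(x) else 0.125 * (x % 3)

if __name__ == "__main__":
    theta, lo, target, hi, v = balancing_theta(JOINT, A_example, [0, 1])
    print("E A(X,h^-) =", lo, " E A(X,Z) =", target, " E A(X,h^+) =", hi)
    print("theta =", theta, " v(h',A) =", v)
```

The two extreme simulators are what makes the weak statement trivial: they cost only $2^\lambda$ evaluations of $A$ per input, and any target value between their expectations is hit by mixing them, which is exactly why $h'$ lands in the convex hull of $\mathcal{C}'$ rather than in $\mathcal{C}'$ itself.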

Proposition 8 (Approximation 1). $\forall A \in \mathrm{conv}\,\mathcal{A}'\ \exists h' \in \mathrm{conv}\,\mathcal{C}':\ v(h',A) \le \epsilon$.

This follows from the standard Chernoff bound approximation argument (footnote 7): for $A \in \mathrm{conv}\,\mathcal{A}'$ and its approximator $A' \in \mathcal{A}$,

\[ |v(h',A) - v(h',A')| \le |\mathbb{E}\,A(X,h'(X)) - \mathbb{E}\,A'(X,h'(X))| + |\mathbb{E}\,A(X,Z) - \mathbb{E}\,A'(X,Z)| \le 2 \sup_{x,z} |A(x,z) - A'(x,z)|. \]

Now we replace $\mathcal{C}'$ by $\mathrm{conv}\,\mathcal{C}'$. Here a more delicate approximation is required.

Proposition 9 (Approximation 2). For every $A$ and every $h' \in \mathrm{conv}\,\mathcal{C}'$ there exists $h \in \mathcal{C}$ such that $v(h,A) \le v(h',A) + \epsilon$.

This follows because by the Hölder inequality applied with $p = q = 2$ (and $|A| \le 1$) we obtain

\[ |\mathbb{E}\,A(X,h'(X)) - \mathbb{E}\,A(X,h(X))| \le 2^{(n+\lambda)/2} \left( \sum_{x,z} |P_{X,h(X)}(x,z) - P_{X,h'(X)}(x,z)|^2 \right)^{1/2} \]

7 $A \in \mathrm{conv}\,\mathcal{A}'$ can be viewed as a distribution on $\mathcal{A}'$; we simply pick $\ell$ independent samples $\{A_i\}_i$ and try to find an approximator of the form $A' = \frac1\ell \sum_{i=1}^{\ell} A_i$. It deviates by more than $\epsilon$ at $(x,z)$ with probability $\exp(-2\ell\epsilon^2)$. We combine this with the union bound.










and by the standard results on convex approximation [DDGS97] (Lemma 1 in Appendix B) the second factor is bounded for some $h$ of complexity $\ell$ with respect to $\mathcal{C}'$. We put $\ell = 2^\lambda\epsilon^{-2}$. From the proven propositions we obtain the final result.

Proposition 10 (Strong Statement). $\exists h \in \mathcal{C}\ \forall A \in \mathcal{A}':\ v(h,A) \le 2\epsilon$.

2.4 More Applications 

For more applications we refer the interested reader to Appendix A. They include the optimal Dense Model Theorem, a better auxiliary-input simulator for bounded-variance adversaries (new), and a proof that every high-conditional-entropy source can be efficiently simulated (new, extending [TTV08]).
A More Applications


A.1 Dense Model Theorem

Given a pair of distributions $W$ and $V$ over the same finite domain we say that $W$ is $\delta$-dense in $V$ if and only if $\Pr[W = x] \le \Pr[V = x]/\delta$ (footnote 8). The efficient version of the famous dense model theorem, specialized to the boolean case, can be formulated as follows:

Theorem 4 (Dense Model Theorem). Let $\mathcal{D}'$ be a class of $n$-bit boolean functions, $R$ be uniform over $\{0,1\}^n$, $X$ be an $n$-bit random variable and let $X'$ be $\delta$-dense in $X$. If $X$ and $R$ are $(\mathcal{D},\epsilon)$-indistinguishable then there exists a distribution $R'$ which is $\delta$-dense in $R$ such that $X'$ and $R'$ are $(\mathcal{D}',\epsilon')$-indistinguishable, where $\epsilon' = (\epsilon/\delta)^{O(1)}$ and $\mathcal{D}$ consists of all functions of the form $g(D_1,\ldots,D_\ell)$ where $D_i \in \mathcal{D}'$, $\ell = \mathrm{poly}(1/\delta, 1/\epsilon)$ and $g$ is some function.

Using our framework we can reprove the Dense Model Theorem with the optimal parameters due to Zhang [Zha11]. The proof is very similar to the one of Theorem 2 so we omit the details; we note that we need the Hölder inequality with $p = 2\log(1/\delta)$. A similar technique appears in [Skoa], though we do not use metric pseudoentropy here.

Corollary 1. The Dense Model Theorem (Theorem 4) holds with $\epsilon' = O(\epsilon/\delta)$, $g$ being a linear threshold function and $\ell = O\!\left(\log(1/\delta)/(\epsilon/\delta)^2\right)$.


Author           | Technique                       | Function g        | ℓ (complexity of D w.r.t. D')      | ε' vs ε
Tao and Ziegler  | complicated                     | inefficient       | ℓ = poly(1/(ε/δ), log(1/δ))        | ε' = O(ε/δ)
[RTTV08]         | min-max theorem                 | linear threshold  | ℓ = poly(1/(ε/δ), log(1/δ))        | ε' = O(ε/δ)
[FOR12], [DP08]  | metric entropy                  | linear threshold  | ℓ = O(n/(ε/δ)^2)                   | ε' = O(ε/δ)
[Zha11]          | boosting                        | linear threshold  | ℓ = O(log(1/δ)/(ε/δ)^2)            | ε' = O(ε/δ)
this paper       | standard min-max + L^p-approx.  | linear threshold  | ℓ = O(log(1/δ)/(ε/δ)^2)            | ε' = O(ε/δ)

Table 3: Different versions of the Dense Model Theorem.


A.2 Simulating auxiliary inputs against bounded-variance distinguishers

An interesting result is obtained when working more carefully in the proof of Theorem 3. Namely, imposing an additional restriction on the second moment of the test functions, we obtain a refined bound.

8 The term "$\delta$-dense" comes from the fact that $V$ can be written as a convex combination of $W$ with weight $\delta$ and some other distribution with weight $1 - \delta$.














Theorem 5 (Simulating auxiliary inputs against bounded-variance distinguishers). For any random variable $X \in \{0,1\}^n$, any correlated $Z \in \{0,1\}^\lambda$, any class $\mathcal{A}$ of functions $A:\{0,1\}^n \times \{0,1\}^\lambda \to [0,1]$ such that $\forall A \in \mathcal{A}:\ \mathbb{E}_x \mathrm{Var}\,A(x,U) \le \sigma^2$, and every $\epsilon$, there is a randomized function $\mathrm{Sim}:\{0,1\}^n \to \{0,1\}^\lambda$ of complexity $O\!\left(s \cdot 2^{4\lambda}\sigma\epsilon^{-4}\right)$ relative to $\mathcal{A}$ such that $Z$ and $\mathrm{Sim}(X)$ are $\epsilon$-indistinguishable given $X$ by functions in $\mathcal{A}$.

This result is interesting in the context of recent improvements in key derivation, so-called square security, where the second moment condition is widely used.


A.3 Simulating High Entropy Distributions with Auxiliary Information


From our framework we derive the following result, which is the extension of the theorem in [TTV08] to the conditional case (in the presence of auxiliary information). We stress that this result cannot be derived from the techniques used in [TTV08], because that approach will not preserve the same marginal distribution $Z$ when applied in the conditional setting.

Theorem 6 (High conditional min-entropy is simulatable). Let $X \in \{0,1\}^n$ and $Z \in \{0,1\}^m$ be correlated random variables with $H_\infty(X|Z) = n - \Delta$. Then there exists a distribution $(Y, Z)$ such that

(a) there is a circuit $\mathrm{Sim}$ of complexity $O\!\left(n(n+m)2^{2\Delta}\epsilon^{-5}\right)$ such that $\mathrm{Sim}(Z) = Y$;

(b) $(X,Z)$ and $(Y,Z)$ are $(s,\epsilon)$-indistinguishable;

(c) we have $H_\infty(Y|Z) \ge n - \Delta - 6$.

Here we show only how to simulate given a fixed distinguisher. The rest of the proof follows by the use of a convex approximation argument (with $p = q = 2$) and allows us to save a factor of $2^{2\Delta}$ in the simulator complexity.

Proof (Proof of the weak statement). Let $\Delta = n - k$. By replacing $\epsilon$ with $2\epsilon$ we can assume that $D = \sum_i \alpha_i D_i$ where $\alpha_i = 1 - (i-1)\epsilon$ for $i = 1, \ldots, \lceil 1/\epsilon \rceil$ and the $D_i$ are boolean with $\sum_i D_i = 1$. Define

\[ d(i) = \Pr[D(U) \ge \alpha_i] \tag{6} \]

and let $M$ be the smallest number $i$ such that $d(i) \ge 2^{-\Delta}$. Note that if we didn't care about computational efficiency then the best answer would be

\[ Y^+ = \frac{d(M-1)}{2^{-\Delta}} \cdot U_{D_1 + \ldots + D_{M-1}} + \frac{2^{-\Delta} - d(M-1)}{2^{-\Delta}} \cdot U_{D_M} \tag{7} \]

(where $U_S$ denotes the uniform distribution on the set $S$), because then

\[ \mathbb{E}\,D(Y^+) = \frac{\sum_{i=1}^{M-1} \alpha_i |D_i| + \left(2^k - \sum_{i=1}^{M-1} |D_i|\right) \alpha_M}{2^k} = \max_{Y:\ H_\infty(Y) \ge k} \mathbb{E}\,D(Y). \tag{8} \]





The approach we chose is quite obvious - we efficiently approximate the distri¬ 
bution Y + . For any i, sample xi,...,xe where i > 2 4 ?rlog(l/e)/e and let 


l 

d{i ) = ^ _1 Y !{ d (**)»«*} ( 9 ) 

j =i 

Now let M' be the smallest number such that d(M') > | • 2~ A . Note that that 
M' is well defined with probability 1 — 2 ~ n , and then we have 

d(M' - 1) < ^ • 2~ a < d(M') (10) 

Now we define Y as follows: 

d f • U Di +...+d m ,_ 1 + (l - • Uv Ml 2- A e < d(M' - 1) < 2" 

F = \ U Dl+ ... +LLu ,_ 1 , 2~ a /16 < d{M' - 1) 

{ Ut> m , , 2~ A e > d(M' — 1) 

(ID 

Observe that if d(i ) < 2 _zi /4 then with probability 1 — 2~ n we get d[i) < 2~ A /2. 
Thus, the probability that d(M') < 2~ A /4 and d(M') > 2~ A /2 is at most 
2 _ "log(l/e) and we can assume that d(M') > 2~ A /4. Similarly, if d(i) > 2~ A 
then with probability 1 — 2~ n we have d[i) > | • 2~ A which means M' ^ i. 
Therefore, with probability 1 — 2~ n log(l/e) we can assume that d{M'— 1) < 2~ A . 
Now we split the analysis into the following cases 

(a) d{M' - 1) < 2~ A e and d{M' - 1) < 2 • 2~ A e. Since |D M '| = 2"(d(M') - 
d(M'— 1)) > 2 n ~ A /8, we see that Uv M , is samplable in time O (2 A log(l/e)) 
and that tt 00 (Ux> M ,) ^ k — 3. Note that 

ED(F+) =ED(F+)l D(y+) ^ M ,_ i +ED(y+)l D(y+)w , 
s% 2e + olm’ 

<3e + ED(F) (12) 

(b) d(M' — 1) > 2~ A /\& and 2~ A > d(M' — 1) > 2 _zi /32. Then we have 
|Di| + ... + |D M '-i| ^ 2 n ~ A ~ 5 and thus H 00 (Ud 1 +...+v m ,_ 1 ) > n- Z\ - 5 
and Uv 1 +...+v M ,_ 1 is samplable in time O ( 2 A log(l/e)). Since |Di| + ... + 
|Dm'-i| ^ 2 n ~ A , we have 

ED(F + ) < ED({7d 1 +...+x> m ,_ 1 ) 

<ED (U Vl+ ...+-D M ,_ 1 ) + e (13) 

(c) $2^{-\Delta}\varepsilon < d(M'-1) < 2^{-\Delta}/16$ and $2^{-\Delta}\varepsilon/2 < d(M'-1) < 2^{-\Delta}/8$ and $d(M'-1) \le 2\,d(M'-1)$. We have $|D_1| + \dots + |D_{M'-1}| = 2^n d(M'-1) > 2^{n-\Delta}\varepsilon/2$ and $|D_{M'}| = 2^n(d(M') - d(M'-1)) \ge 2^{n-\Delta}/8$, therefore $Y$ is samplable in time $O(2^{\Delta}\log(1/\varepsilon)/\varepsilon)$. Moreover, we have $H_\infty(U_{D_1+\dots+D_{M'-1}}) \ge \log(|D_1| + \dots + |D_{M'-1}|)$ and $H_\infty(U_{D_{M'}}) \ge \log|D_{M'}|$. Hence $H_\infty(U_{D_1+\dots+D_{M'-1}}) \ge n + \log d(M'-1)$ and $H_\infty(U_{D_{M'}}) \ge n - \Delta - 3$, and

$$\Pr[Y = x] \le \frac{d(M'-1)}{d(M'-1)}\cdot 2^{-n+\Delta} + 2^{-n+\Delta+3} \le 2^{-n+\Delta+4} \qquad (14)$$


Suppose now that $d(M'-1) < 2^{-\Delta}\varepsilon/2$. Then, by the Chernoff bound, with probability $1 - 2^{-n}$ we have $d(M'-1) < 2^{-\Delta}\varepsilon/2 + d(M'-1) < 2^{-\Delta}\varepsilon$ and we are in case (a). If $2^{-\Delta}\varepsilon/2 < d(M'-1) < 2^{-\Delta}/32$ then with probability $1 - 2^{-n}$ we have $\frac{1}{2} < \ldots < 2$, and it is easy to check that we can be either in (a) or in (c), depending on $d(M'-1)$. If $2^{-\Delta}/32 < d(M'-1) < 2^{-\Delta}/8$ then with probability $1 - 2^{-n}$ we are either in (c) or in (b). If $2^{-\Delta}/8 < d(M'-1) < 2^{-\Delta}$ then with probability $1 - 2^{-n}$ we can only be in (b).


B Convex Approximation Rates

We use the following fact on convex approximation rates.

Lemma 1 (Convex approximation in $L_p$ spaces [DDGS97]). Let $X$ be a finite domain and $\nu$ be a distribution on $X$. Fix a number $1 \le p < +\infty$ and for any function $f$ on $X$ define $\|f\|_p = \left(\mathbb{E}_{x\sim\nu}|f(x)|^p\right)^{1/p}$. Let $\mathcal{G}$ be any set of real functions on $X$, let $\bar g$ be a convex combination of functions from $\mathcal{G}$ and $K > 0$ be such that for all $g \in \mathcal{G}$ we have $\|\bar g - g\|_p \le K$. Then for any $\ell > 0$ there exists a convex combination $g' = \frac{1}{\ell}\sum_{i=1}^{\ell} g_i$ of functions $g_1, \dots, g_\ell \in \mathcal{G}$ such that

$$\|\bar g - g'\|_p \le \frac{C_p K}{\ell^{1-1/t}}$$

where $t = \min(2, p)$ and $C_p = 1$ if $1 \le p \le 2$, $C_p = \sqrt{2}\left[\Gamma((p+1)/2)/\sqrt{\pi}\right]^{1/p}$ for $2 < p < +\infty$.
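Lemma 1 only asserts that a good convex combination exists. As an added illustration (not code from the paper or from [DDGS97]), the following Python builds such a combination for $p = 2$ with an assumed greedy rule (each step averages in the function from $\mathcal{G}$ that most reduces the $L_2$ error) on a constructed finite domain, and checks the bound $C_p K / \ell^{1-1/t}$ at every $\ell$.

```python
import math

def lp_norm(f, p):
    """||f||_p under the uniform distribution nu on X = {0, ..., len(f)-1}."""
    return (sum(abs(v) ** p for v in f) / len(f)) ** (1.0 / p)

def c_p(p):
    """C_p of Lemma 1: 1 for 1 <= p <= 2, sqrt(2)*[Gamma((p+1)/2)/sqrt(pi)]^(1/p) for p > 2."""
    if p <= 2:
        return 1.0
    return math.sqrt(2) * (math.gamma((p + 1) / 2) / math.sqrt(math.pi)) ** (1.0 / p)

def greedy_convex_approx(gbar, G, ell):
    """Assumed constructive method (Lemma 1 only asserts existence): g'_i is the uniform
    average of i functions from G, built as g'_i = ((i-1)/i) g'_{i-1} + (1/i) g_i with g_i
    chosen to minimise the L_2 distance to gbar. Returns the iterates [g'_1, ..., g'_ell]."""
    n = len(gbar)
    cur = [0.0] * n
    iterates = []
    for i in range(1, ell + 1):
        best = None
        for g in G:
            cand = [((i - 1) * cur[x] + g[x]) / i for x in range(n)]
            dist = lp_norm([gbar[x] - cand[x] for x in range(n)], 2)
            if best is None or dist < best[0]:
                best = (dist, cand)
        cur = best[1]
        iterates.append(cur)
    return iterates

def check_lemma(gbar, G, ell, p=2):
    """Returns (distances, bounds) for l = 1..ell: ||gbar - g'_l||_p for the greedy iterates
    and C_p K / l^(1 - 1/t) with t = min(2, p), K = max_g ||gbar - g||_p as in Lemma 1.
    For p = 2 the greedy choice provably stays within the bound at every step."""
    n = len(gbar)
    t = min(2, p)
    K = max(lp_norm([gbar[x] - g[x] for x in range(n)], p) for g in G)
    dists = [lp_norm([gbar[x] - gl[x] for x in range(n)], p)
             for gl in greedy_convex_approx(gbar, G, ell)]
    bounds = [c_p(p) * K / l ** (1 - 1 / t) for l in range(1, ell + 1)]
    return dists, bounds

# Constructed input: X = {0,...,5}, five 0/1-valued functions, and gbar a convex
# combination of them with weights (0.4, 0.3, 0.2, 0.1, 0).
G_FUNCS = [[1, 0, 0, 1, 0, 1], [0, 1, 0, 1, 1, 0], [0, 0, 1, 0, 1, 1],
           [1, 1, 1, 0, 0, 0], [0, 0, 0, 0, 0, 1]]
WEIGHTS = [0.4, 0.3, 0.2, 0.1, 0.0]
GBAR = [sum(w * g[x] for w, g in zip(WEIGHTS, G_FUNCS)) for x in range(6)]
```

Calling `check_lemma(GBAR, G_FUNCS, 12)` returns the twelve greedy errors next to the twelve values of $K/\sqrt{\ell}$; the errors never exceed the bound.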


C Proof of Theorem 2

To finish the proof it remains to justify the estimates

$$\left(\mathbb{E}_{x\sim U}\left(2^n \Pr_{Y|E}(x)\right)^q\right)^{1/q} \le 2^{\Delta} \qquad (15)$$

and

$$\left(\mathbb{E}_{x\sim U}|A(x) - A'(x)|^p\right)^{1/p} = \ldots \quad \text{for } A \text{ of complexity } \ell \text{ r.t. } A' \qquad (16)$$

The first follows by noticing that the quantity is convex with respect to $Y|E \in \mathcal{C}$. Thus, the maximum is attained at one of the extreme points, which is, in this case, a flat distribution. The second fact follows from Lemma 1.






E Time-Success Ratio for Auxiliary Input Simulator Analysis of Stream Ciphers

E.1 Preliminaries

Weak pseudorandom functions are indistinguishable from random functions when queried on random inputs and fed with a uniform secret key.

Definition 3 (Weak pseudorandom functions). A function $F : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^m$ is an $(\varepsilon, s, q)$-secure weak PRF if its outputs on $q$ random inputs are indistinguishable from random by any distinguisher of size $s$, that is

$$\left|\Pr\left[D\left((X_i, F(K, X_i))_{i=1}^{q}\right) = 1\right] - \Pr\left[D\left((X_i, R_i)_{i=1}^{q}\right) = 1\right]\right| \le \varepsilon$$

where the probability is over the choice of the random $X_i \leftarrow \{0,1\}^n$, the choice of a random key $K \leftarrow \{0,1\}^k$ and $R_i \leftarrow \{0,1\}^m$ conditioned on $R_i = R_j$ if $X_i = X_j$ for some $j < i$.

Stream ciphers generate a keystream in a recursive manner. Security means that the output stream should be indistinguishable from uniform$^{9}$.

Definition 4 (Stream ciphers). A stream cipher $SC : \{0,1\}^k \to \{0,1\}^k \times \{0,1\}^n$ is a function that needs to be initialized with a secret state $S_0 \in \{0,1\}^k$ and produces a sequence of output blocks $X_1, X_2, \dots$ computed as

$$(S_i, X_i) := SC(S_{i-1}).$$

A stream cipher $SC$ is $(\varepsilon, s, q)$-secure if for all $1 \le i \le q$ the random variable $X_i$ is $(s, \varepsilon)$-pseudorandom given $X_1, \dots, X_{i-1}$ (the probability is also over the choice of the initial random key $S_0$).

$^{9}$ We note that in a more standard notion the entire stream $X_1, \dots, X_q$ is indistinguishable from random. This is implied by the notion above by a standard hybrid argument, with a loss of a multiplicative factor of $q$ in the distinguishing advantage.



Now we define the security of leakage-resilient stream ciphers, which follow the "only computation leaks" assumption.

Definition 5 (Leakage-resilient stream ciphers). A leakage-resilient stream cipher is $(\varepsilon, s, q, \lambda)$-secure if it is $(\varepsilon, s, q)$-secure as defined above, but where the distinguisher in the $j$-th round gets $\lambda$ bits of arbitrary adaptively chosen leakage about the secret state accessed during this round. More precisely, before $(S_j, X_j) := SC(S_{j-1})$ is computed, the distinguisher can choose any leakage function $f_j$ with range $\{0,1\}^{\lambda}$, and then not only gets $X_j$, but also $\Lambda_j := f_j(S'_{j-1})$, where $S'_{j-1}$ denotes the part of the secret state that was modified (i.e., read and/or overwritten) in the computation $SC(S_{j-1})$.

Finally, we recall the standard notion of time-success ratio. It is very useful in quantifying how much security is transferred from the underlying primitive to the constructed object by the reduction.

Definition 6 (Time-Success Ratio). We say that a cryptographic protocol has $k$ bits of security (or that it is $2^k$-secure) if for every $s$ and any adversary $\mathcal{A}$ of size $s$ the advantage (the probability of winning the security game) is at most $\varepsilon \le s/2^k$.

E.2 Time-Success Ratio Analysis

Suppose that we have a simulator with complexity $t_h = O(t\cdot A\varepsilon^{-\alpha} + B\varepsilon^{-\beta})$. Then, according to [JP14], we have an $(s', \varepsilon', q)$-secure stream cipher where

$$\varepsilon' = O\left(q\cdot\sqrt{\varepsilon}\right), \qquad s' = \Omega\left(s\cdot A^{-1}(\varepsilon')^{\alpha}\right) - A^{-1}B(\varepsilon')^{\alpha-\beta} \qquad (19)$$

Suppose that we want to prove $2^{k'}$-security in the sense of Definition 6. That is, we need to prove $s'/\varepsilon' \ge 2^{k'}$ for every time-advantage pair $(s', \varepsilon')$ such that $s' \ge 1$, where $k'$ is possibly big. Note that for a weak PRF we can assume the security $s \approx 2^k\varepsilon$ for every $\varepsilon$, that is, that the best attack is a brute-force search over the key space (see [JP14] for more justification). One can argue that, under the transformation (19), the worst-case adversary profile is when $\varepsilon' \approx 2^{-k'}$ and $s' \approx 1$. Plugging this into Equation (19), and using the fact that $s' \ge 1$, we obtain

$$2^{k-2-2k'-\lambda} \ge A\cdot\left(2^{-k'}\right)^{-\alpha} + B\cdot\left(2^{-k'}\right)^{-\beta}.$$

Substituting the different values of $A, B, \alpha, \beta$ which correspond to the particular bounds, we get the values in Table 2.
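As an added worked example (not from the paper), the following Python evaluates the last inequality numerically: it takes it in the form $2^{k-2-2k'-\lambda} \ge A\cdot 2^{\alpha k'} + B\cdot 2^{\beta k'}$, treating the constant 2 in the exponent and the leakage parameter $\lambda$ as assumptions, and returns the largest $k'$ it admits, i.e. the number of security bits in the sense of Definition 6, for constructed parameter values.

```python
import math

def log2_sum(terms):
    """log2( sum_j c_j * 2**e_j ) for pairs (c_j, e_j) with c_j >= 0, evaluated in the
    log domain so that large exponents such as alpha*k' never overflow a float."""
    exps = [math.log2(c) + e for c, e in terms if c > 0]
    m = max(exps)
    return m + math.log2(sum(2.0 ** (x - m) for x in exps))

def ratio_condition(k, kp, A, B, alpha, beta, lam, overhead=2):
    """True iff 2^(k - overhead - 2k' - lam) >= A*(2^-k')^-alpha + B*(2^-k')^-beta,
    compared as log2 of both sides. `overhead` (the constant 2 in the exponent) and
    `lam` (the leakage parameter lambda) are assumptions read off the displayed inequality."""
    lhs = k - overhead - 2 * kp - lam
    rhs = log2_sum([(A, alpha * kp), (B, beta * kp)])
    return lhs >= rhs

def max_security_bits(k, A, B, alpha, beta, lam, overhead=2):
    """Largest integer k' >= 0 satisfying ratio_condition, or None if even k' = 0 fails.
    The left side decreases and the right side increases in k', so scanning upward and
    stopping at the first failure yields the maximum."""
    best = None
    for kp in range(0, k + 1):
        if not ratio_condition(k, kp, A, B, alpha, beta, lam, overhead):
            break
        best = kp
    return best

if __name__ == "__main__":
    # Constructed parameters: a 128-bit weak-PRF key and simulator cost A*eps^-2 + B*eps^-1.
    for lam in (0, 8, 16):
        print(f"lambda={lam:2d}  security bits k'={max_security_bits(128, 1.0, 1.0, 2, 1, lam)}")
```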


